verify-sign
Pass
Audited by Gen Agent Trust Hub on Jun 15, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill is authored by Harness and interacts exclusively with the Harness platform via the harness-mcp-v2 server. All operations including fetching, listing, and updating pipelines are performed using authorized platform tools.
- [SAFE]: Secret management follows best practices. The skill uses Harness secret references such as account.cosign_public_key rather than hardcoding sensitive data. It correctly differentiates between private keys used for signing and public keys used for verification.
- [SAFE]: The skill includes preflight checks to ensure that delegates are active and connectors are healthy before attempting to update deployment configurations, which prevents broken pipeline states.
- [SAFE]: Instructions for modifying pipeline YAML are specific to adding security verification steps and explicitly warn against adding unrelated scanners or modifying unrelated logic.
Audit Metadata